Google Threat Intelligence Group (GTIG) said on Feb. 25 that Google and certain of its cybersecurity partners disrupted a global espionage campaign that GTIG confirmed had compromised targets in 42 countries and suspects infected at least 20 more.
GTIG has tracked the group as UNC2814/Gallium since 2017 and suspects it to be Chinese.
“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” the report reads.
The campaign is characterized by stealth tactics and the targeting of cloud-hosted products to disguise its traffic. GTIG stated that this campaign is distinct and separate from Salt Typhoon, a major Chinese regime-backed cyberespionage campaign.
“This was a vast surveillance apparatus used to spy on people and organizations throughout the world,” said John Hultquist, GTIG chief analyst.
GTIG said its disruption efforts have terminated the group’s access to a backdoor, disabled its infrastructure, and revoked its accounts and access to relevant Google products.
The campaign came on the heels of the discovery of a novel backdoor the group used that Google tracks as Gridtide, “a sophisticated C-based backdoor with the ability to execute arbitrary shell commands, upload files, and download files.”
Charley Snyder, GTIG senior manager, said the backdoor was installed on a system that had access to phone numbers, dates and places of birth, voter IDs, and national ID numbers.
The group’s recent activity has targeted telecommunication providers and government organizations, according to the report.
“This prolific scope is likely the result of a decade of concentrated effort,” the report reads.
Google recently warned that foreign adversaries are targeting the U.S. defense industrial base in cyberspace. In a Feb. 10 report, it said that groups in Russia, North Korea, and primarily China have carried out sustained cyberattacks in recent months, the most active ever observed and posing “significant risk to the defense and aerospace sector.”
In both reports, Google found that edge devices were being exploited, highlighting the trend of malicious cyber actors targeting hardware such as routers, controllers, sensors, and smart devices, which typically lack the level of security applied to devices at the center of a network.